IETF Logo Mail Archive

Re: [kitten] Stating support for HTTP-SASL on the HTTP WG list

Nico Williams <nico@cryptonector.com> Wed, 08 February 2023 04:00 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B75A0C14CF1E for <kitten@ietfa.amsl.com>; Tue, 7 Feb 2023 20:00:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nP8kWfH1b-DG for <kitten@ietfa.amsl.com>; Tue, 7 Feb 2023 20:00:50 -0800 (PST)
Received: from buffalo.tulip.relay.mailchannels.net (buffalo.tulip.relay.mailchannels.net [23.83.218.24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8737C14CF1B for <kitten@ietf.org>; Tue, 7 Feb 2023 20:00:49 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 54E9A141C62; Wed, 8 Feb 2023 04:00:45 +0000 (UTC)
Received: from pdx1-sub0-mail-a299.dreamhost.com (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id DA812141C27; Wed, 8 Feb 2023 04:00:44 +0000 (UTC)
ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1675828844; a=rsa-sha256; cv=none; b=P6igDP9HlU5yZ3It0JHnQJIBGAZuQ7/2ZgTo1zA1lGlUMKs80LLfK2N0Ul1P+JtEW+McX2 s6hw474IIR0FmW89ew9vfpFNZwEr1clVaEpnRq78VRtKWHwIS8TVoBm1dAnUqVZGCkMPHR Xn5HaV7ly2GxlsBFpplN8ArYFQO/SNdBAUC22gjejlshG27owA2ZwdxnDdBNHQ5YNjVInX vzZ8iaY0gJVIwzVMe9sUD1gwIOZTlVsI/kY7/ca7bZ8uBDDhlJjqwiELnn3NBSwo7HpgD9 UjFnjkbFrc3LZSBZMitJwf2FJN0CV6SQqMgBbYI5Eypvmn7I/ECt2dsE6s9Xqw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1675828844; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:dkim-signature; bh=06zHOPZNjIgFU5IxfzMomFsa+Zya20Ar7au+a9/qb2s=; b=hnRJOFLaScvaLdKZjq4LOTdEXxse77wH6YS3Fl33qsW9vnzKyLk+u1+Zx/xc8JYpcAlCLU l0k5LkevvLaO8Pila5EfzHaDxjyTYxVBDjKKdWGmsZWmX2+gPZ2r4EmHdwFJr8Hn0vsKJU psBT8q+Lg7UCplW+ZjDIXqSpNWhWeDBELJeznRxihiqO6Xeb3WaFU5rOSDlL0COOYrrVqr MuUT/Pk8mZlSvStWBgGYm5agKCi9ojexD4hdGclJjYepcyJR27oxkTbMuFH9ylGnGUzs3i XwOUVSyW2CorwPcmyE8EC0z7rLSQgMlbNFsS8R6hnW+1yFegafF8l59KdNRd+w==
ARC-Authentication-Results: i=1; rspamd-8d84bcd9f-gs5dd; auth=pass smtp.auth=dreamhost smtp.mailfrom=nico@cryptonector.com
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Celery-Eyes: 1f633aa7053ba853_1675828845148_3055700961
X-MC-Loop-Signature: 1675828845148:828975627
X-MC-Ingress-Time: 1675828845148
Received: from pdx1-sub0-mail-a299.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.103.24.28 (trex/6.7.1); Wed, 08 Feb 2023 04:00:45 +0000
Received: from gmail.com (075-081-095-064.res.spectrum.com [75.81.95.64]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a299.dreamhost.com (Postfix) with ESMTPSA id 4PBR9m1qL2zFM; Tue, 7 Feb 2023 20:00:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cryptonector.com; s=dreamhost; t=1675828844; bh=06zHOPZNjIgFU5IxfzMomFsa+Zya20Ar7au+a9/qb2s=; h=Date:From:To:Cc:Subject:Content-Type; b=uX0nm3f99vM/OpMxacOQ35VCdYkqQX5h6l0qCn+HmVQyPm09EevS0/s1GFgFfkJ/d LAt17MtzjCDXEdsswd4vEZ/jioKK3QP0I457tqx+PCxD3WZbqmlqJFMEZYZTHCWhlJ nimO+XdoTITeh38We89zOJ9GLMMchp937KCdy850kHlEI/PX/I8avKzxG9y7sg0fsM lvcQQkhK//OCIx5FxvH3EJvxuO+Od5zvGn4r4IqDpBLVr6+D8a3E2zZKRzNWx0W7Vl ZKzcfKemCDiVbY/x9DVHZrHUB+Dwx3vlch8cMh2Tq6k9qlqgRyuRvRnxloXnGQuCs8 aN+XcuBjtlnmg==
Date: Tue, 07 Feb 2023 22:00:41 -0600
From: Nico Williams <nico@cryptonector.com>
To: Ken Hornstein <kenh@pobox.com>
Cc: kitten@ietf.org
Message-ID: <Y+MeaW2sp6b4P+Ba@gmail.com>
References: <20230127160101.GB635@openfortress.nl> <Y9QOTlS5Pmv47brx@gmail.com> <20230207102348.GA30583@openfortress.nl> <Y+J9Gj4rrZnbqHs5@gmail.com> <60a48e1d-b0a1-44ad-9316-4d2982912553@app.fastmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <60a48e1d-b0a1-44ad-9316-4d2982912553@app.fastmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/y8_53m2z-_U-xIuHEW308y-wFtY>
Subject: Re: [kitten] Stating support for HTTP-SASL on the HTTP WG list
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Feb 2023 04:00:54 -0000

On Tue, Feb 07, 2023 at 08:49:59PM -0500, Ken Hornstein wrote:
> You know, I've thought a fair amount about this and I've never really
> been convinced that having the API pick the "best" mechanism out of a
> list is a good idea in the general case.

I tend to agree.

> First, [...]

> Secondly, automatic negotiation tends to "flatten" error reporting.
> [...]

Yes.

> Thirdly, it never seemed to be a good idea to me to automatically pick
> a security mechanism; it seems like what you really want is to specify
> it explicitly. [...]

That's not going to work in HTTP land outside of command-line tools.
User-agent driven interaction for authentication is just not welcomed.
So much so that I think the only thing worth doing in HTTP-land is to
fix up redirect-based authentication so that `Authorization:` headers
can be copied from redirect responses to redirected requests.

I.e., I think adding SASL mechanisms to HTTP will be of marginal use --
not so marginal that I don't think it's worth doing, but not that
enticing either.  And I _believe_ advertising SASL mechanisms separately
will make it harder to adopt.

>         [...]. Most of the SASL security mechanisms have very
> different properties and they're not interchangeable. I realize that's
> not true for all of them and some would be an upgrade from older
> mechanisms, but it's not true in the general case. The better
> applications I've seen that support SASL require you to explicitly
> pick the mechanism you expect to be using. I realize that is not the
> norm in the HTTP world today, but that seems to me to be because there
> is mostly ONE authentication mechanism (basic) in use today. I could
> see a case where a HTTP user-agent tries a bunch of mechanisms and the
> first one that succeeds it remembers and picks that one the next time.

Negotiate is widely used in the enterprise, but not at all on the public
web.  NTLM is still somewhat used in the enterprise, but should really
go away.  Bearer is also used in the enterprise but not on the public
web.  Basic is widely denigrated, hated and avoided.

Only redirect-based schemes (i.e., not HTTP authentication schemes
proper) like OIDC are widely used in the public web and enterprise with
browser user-agents.

I don't see how that changes in the public web.  In the enterprise it's
another story.  Making the various major browsers pluggable for
authentication schemes may allow for adoption of new schemes in the
enterprise, but that's probably it.

I've spent a lot of time in the past several years on bridging
authentication schemes because having just one is not really an option.
Things like JWT token vending that accepts Negotiate (and vice-versa),
online PKI CAs that accept JWT or Negotiate, services that accept JWT
and then impersonate the user using PKINIT to vend a TGT (this could
have been an AS extension, but that was a lot more work), etc.  Having
bridges like that makes it easier to add new schemes, but it's not like
we're clamoring for more schemes!  Apart from PAKEs, what more do we
need?

> This is kind of rambling, and getting back to your original point
> advertising SASL mechanisms together is probably still worthwhile.

You got me rambling too :)

Rick proposes to advertise SASL mechanisms together and separately from
non-SASL HTTP authentication schemes.  I propose to advertise each SASL
mechanism as an HTTP authentication schemes.  This is close to
bikeshedding -- I think the latter will prove easier to implement, but
obviously I've not tried to implement, and everything will depend on
what HTTP user-agent one might be adding SASL support to.

Nico
--

v2.23.0 | Report a Bug | By Email